
14.5 Security and compliance stack

  • Internal users: SSO via Google Workspace / Microsoft Entra ID + Okta. MFA mandatory.
  • Borrower: mobile OTP + Aadhaar.
  • Partner: mTLS + API key + signed request.
  • RBAC centralised; policy as data (not hard-coded), so it can be versioned and reviewed.
  • Periodic access review quarterly.
  • Joiner / mover / leaver workflow integrated with HR.
  • AWS Secrets Manager + KMS for managed secrets.
  • HashiCorp Vault as an alternative.
  • No secrets in source code, container images, or env files committed to the repo.
  • Rotation automated where vendor supports.
  • TLS 1.2+ in transit.
  • AES-256 at rest with KMS-managed keys.
  • mTLS for sensitive internal paths in prod.
  • Tokenisation service: accepts PII, returns a token; clear text never leaves the vault.
  • Every detokenisation call audited (who, which token, why).
  • Masking layer for logs and dashboards.
  • Service-level audit events emitted on every state change.
  • Audit events hash-chained so that tampering with or deleting a record is detectable.
  • Immutable storage in S3 with Object Lock.
  • Logs to SIEM (Datadog / Splunk / Wazuh).
  • 24×7 monitoring by internal or outsourced SOC.
  • Threat intelligence feeds integrated.
  • Dependency scanning in CI (OWASP Dependency-Check).
  • Container scanning at build + at runtime.
  • Infrastructure scanning (CloudSploit / Prowler / native AWS Security Hub).
  • Annual penetration test by an external party.
  • Runbook per incident type.
  • On-call rotation.
  • RBI reporting within 6 hours for material cyber incidents, per the IT MD.
  • Post-incident RCA mandatory.
  • Endpoint DLP for employees (managed device).
  • Network DLP at egress.
  • Database activity monitoring for sensitive tables.
  • Maintain a control mapping document: RBI IT MD clause × control × evidence.
  • Updated on every regulatory or control change.
  • Reviewed annually by external auditor.
  • Backups encrypted with KMS keys separate from the production data keys.
  • Test restore quarterly.
  • Off-site copy in Indian DR region.
  • CSPM tools (AWS Security Hub / Prowler / Wiz).
  • Continuous compliance monitoring against CIS benchmarks and RBI-aligned controls.
  • Drift detection for infrastructure.
  • Threat model per major feature.
  • Security review at design.
  • Code review checklist with security items.
  • SAST / DAST / SCA automated.
  • Bug bounty programme once the platform is at scale.
  • DPDP Act 2023 — see 2.12.
  • IT Act 2000 — eSign / digital records.
  • PMLA + KYC MD — see 2.7.
  • RBI IT MD — see 2.13.
  • RBI Outsourcing MD — see 2.14.
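The partner authentication bullet above (mTLS + API key + signed request) says what is checked but not how a signed request is verified. The following is an added example, not code from this design or any named product: the API key selects the partner's shared secret, the signature is an HMAC-SHA256 over method, path, timestamp, nonce and a body digest, and the gateway enforces a clock-skew window and a nonce cache so a captured request cannot be replayed. mTLS is assumed to be terminated upstream; the credential store, header names, skew limit and sample partner are all assumptions made for the example.

```python
"""Partner API request signing and verification (added example).

Assumes mTLS is terminated before this code runs and that the partner's shared
secret is looked up by API key. PARTNER_SECRETS is a constructed stand-in for the
real secrets store (Secrets Manager / Vault); nothing here should be hard-coded
in production.
"""
import hashlib
import hmac
import time

# Constructed sample credential store: api_key -> shared secret.
PARTNER_SECRETS = {"pk_acme_01": b"acme-shared-secret-do-not-commit"}

MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 minutes off


def canonical_string(method, path, timestamp, nonce, body):
    """Bind method, path, timestamp, nonce and a digest of the body into the string
    that gets signed, so none of them can be changed without invalidating the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(api_key, method, path, body, timestamp, nonce):
    """Partner side: produce the header set for one request."""
    secret = PARTNER_SECRETS[api_key]
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Api-Key": api_key,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": sig,
    }


def verify_request(headers, method, path, body, seen_nonces, now=None):
    """Gateway side. Returns (ok, reason).

    seen_nonces is a set shared across requests (a TTL cache such as Redis in
    production, with a TTL at least as long as MAX_SKEW_SECONDS) used to reject
    replays of an otherwise valid request.
    """
    now = time.time() if now is None else now
    api_key = headers.get("X-Api-Key")
    secret = PARTNER_SECRETS.get(api_key)
    if secret is None:
        return False, "unknown api key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed skew"
    nonce = headers.get("X-Nonce", "")
    if not nonce or (api_key, nonce) in seen_nonces:
        return False, "nonce missing or replayed"
    msg = canonical_string(method, path, ts, nonce, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so a wrong signature cannot be found byte by byte.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    seen_nonces.add((api_key, nonce))  # record only after the request fully verifies
    return True, "ok"


if __name__ == "__main__":
    body = b'{"loan_id": "L-1", "amount": 1000}'  # constructed sample payload
    hdrs = sign_request("pk_acme_01", "POST", "/v1/disburse", body, 1_700_000_000, "n1")
    seen = set()
    print(verify_request(hdrs, "POST", "/v1/disburse", body, seen, now=1_700_000_010))
    print(verify_request(hdrs, "POST", "/v1/disburse", body, seen, now=1_700_000_010))
```

The nonce is recorded only after the signature check passes, so an attacker cannot burn a partner's nonce with a forged request; the timestamp window bounds how long the nonce cache has to remember it.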
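The tokenisation, masking and hash-chained audit bullets above describe three controls that fit together: PII goes into a vault and only a token comes out, every detokenisation is audited, the audit trail is hash-chained, and logs see only a masked value. The block below is an added example of that combination and is not the design's own code: the vault store is an in-memory dict standing in for the real vault (which would encrypt each value under a KMS-managed key), the audit chain is a list standing in for Object Lock storage, and the actor, purpose and Aadhaar-style sample value are constructed.

```python
"""Tokenisation vault with audited detokenisation and a hash-chained audit log
(added example). The in-memory store and audit list are stand-ins for the
KMS-backed vault and immutable log storage the design calls for."""
import hashlib
import json
import secrets

GENESIS = "0" * 64  # prev_hash of the first audit record


def audit_event_hash(prev_hash, body):
    """Hash the canonical JSON of the event body together with the previous
    record's hash, which is what links each record to its predecessor."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def mask(value):
    """Masking for logs and dashboards: reveal only the last four characters."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


class TokenVault:
    def __init__(self):
        self._store = {}  # token -> clear text; leaves the vault only via detokenize()
        self.audit = []   # hash-chained audit events, one per detokenise call

    def tokenize(self, pii, field):
        # Random token, not derived from the PII, so it reveals nothing about the value.
        token = f"tok_{field}_{secrets.token_urlsafe(16)}"
        self._store[token] = pii
        return token

    def detokenize(self, token, actor, purpose):
        if token not in self._store:
            raise KeyError("unknown token")
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        body = {
            "seq": len(self.audit),
            "actor": actor,
            "purpose": purpose,
            "token": token,
            "value_masked": mask(self._store[token]),  # the log never holds clear text
            "prev_hash": prev,
        }
        event = dict(body, hash=audit_event_hash(prev, body))
        self.audit.append(event)  # written before the clear text leaves the vault
        return self._store[token]

    def verify_audit_chain(self):
        """Returns (True, count) if the chain is intact, else (False, index of the
        first record that does not fit). Catches edits, deletions and reordering."""
        prev = GENESIS
        for i, ev in enumerate(self.audit):
            body = {k: v for k, v in ev.items() if k != "hash"}
            if body["seq"] != i or body["prev_hash"] != prev:
                return False, i
            if audit_event_hash(prev, body) != ev["hash"]:
                return False, i
            prev = ev["hash"]
        return True, len(self.audit)


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("123456789012", "aadhaar")  # constructed sample value
    print(tok)
    print(vault.detokenize(tok, "kyc-svc", "ckyc-upload"))
    print(vault.verify_audit_chain())
```

In a deployment the chain head (the last record's hash) would be published out of band at intervals so that an attacker who rewrites the whole log from some point onward, which a single chain alone cannot detect, is still caught.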